Archive for the ‘Identification’ Category

The Obama White House recently released its draft Consumer Privacy Bill of Rights Act (pdf) and a fact sheet. Parts of the draft legislation date to a 2012 white paper (pdf) that laid out a plan to better protect consumer privacy. And last year, the big data group that the White House convened also issued recommendations on privacy (pdf).

The White House has taken important steps in highlighting that individuals need strong privacy protections for their data and in creating the draft legislation. And it is important that the draft legislation attempts to implement the Fair Information Practices: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. For example, the draft legislation gives several options for responding to companies that would violate the bill’s provisions, including allowing individuals and states attorneys general to file lawsuits.

But there are several significant problems with the proposal that need to be addressed before it can move forward. (The draft does not yet have a legislative sponsor, which it would need in order to be introduced and debated in Congress.)

One problem with the legislation: It would preempt state laws.

SEC. 401. Preemption.
(a) In General.—This Act preempts any provision of a statute, regulation, or rule of a State or local government, with respect to those entities covered pursuant to this Act, to the extent that the provision imposes requirements on covered entities with respect to personal data processing.

In a recent article for Science, researchers Yves-Alexandre de Montjoye, Laura Radaelli, Vivek Kumar Singh, and Alex “Sandy” Pentland showed that the “anonymization” of personal data is not a guarantee of privacy for individuals. Before we discuss their study, let’s consider that it has been almost two decades of researchers telling us that anonymization, or “de-identification,” of private information has significant problems, and individuals can be re-identified and have their privacy breached.

Latanya Sweeney has been researching the issue of de-anonymization or re-identification of data for years. (She has taught at Harvard and Carnegie Mellon and has been the chief technologist for the Federal Trade Commission.) In 1998, she explained how a former governor of Massachusetts had his full medical record re-identified by cross-referencing Census information with de-identified health data. Sweeney also found that, with birth date alone, 12 percent of a population of voters can be re-identified. With birth date and gender, that number increases to 29 percent, and with birth date and Zip code it increases to 69 percent. In 2000, Sweeney found that 87 percent of the U.S. population could be identified with birth date, gender and Zip code. She used 1990 Census data.

In 2008, University of Texas researchers Arvind Narayanan and Vitaly Shmatikov were able to reidentify (pdf) individuals from a dataset that Netflix had released, data that the video-rental and -streaming service had said was anonymized. The researchers said, “Using the Internet Movie Database as the source of background knowledge, we successfully identified the Netflix records of known users, uncovering their apparent political preferences and other potentially sensitive information.” Read more »

Recently, the Independent in the UK reported on the use of spyware by abusers to track and control their victims. “Helplines and women’s refuge charities have reported a dramatic rise in the use of spyware apps to eavesdrop on the victims of domestic violence via their mobiles and other electronic devices, enabling abusers clandestinely to read texts, record calls and view or listen in on victims in real time without their knowledge.”

A 2009 report about stalking from the Department of Justice’s Bureau of Justice Statistics found: “Electronic monitoring was used to stalk 1 in 13 victims. Video or digital cameras were equally likely as listening devices or bugs to be used to electronically monitor victims (46% and 42%). Global positioning system (GPS) technology comprised about a tenth of the electronic monitoring of stalking victims.” (Here’s the 2012 update.) The U.S. National Network to End Domestic Violence has a paper about how abusers and stalkers use technology to control and harass their victims. Read more »

The Federal Trade Commission recently announced that it had charged in a federal court complaint (FTC pdf; archive pdf) that data broker LeapLab “sold the sensitive personal information of hundreds of thousands of consumers — including Social Security and bank account numbers — to scammers who allegedly debited millions from their accounts.” There is an industry for gathering data on individuals — there are data brokers such as LeapLab, Acxiom and Choicepoint, along with individual companies tracking individuals’ online and offline behavior to create consumer profiles. (Here’s a great New York Times article from 2012 that takes an in-depth look at “How Companies Learn Your Secrets.”)

The FTC said, “data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.” Read more »

In the ongoing case concerning Google’s changes to its privacy policies a couple of years ago, the Netherlands announced that it will fine the Internet services giant if it doesn’t meet certain requirements by February 2015. “The Dutch Data Protection Authority (Dutch DPA) has imposed an incremental penalty payment on Google. This sanction may amount to 15 million euros. The reason for the sanction is that Google is acting in breach of several provisions of the Dutch data protection act with its new privacy policy, introduced in 2012.”

Here’s a recap of the controversy and legal questions surrounding Google’s change to its privacy policies. In January 2012, Google announced changes in its privacy policies that would affect users of its services, such as search, Gmail, Google+ and YouTube. Advocates and legislators questioned the changes, saying that there were privacy issues, and criticized (pdf) the Internet services giant for not including an opt-out provision. The critics included 36 U.S. state attorneys general, who wrote to (pdf) Google raising privacy and security questions about the announced privacy policy changes. The EU’s Article 29 Data Protection Working Party wrote to (pdf) to the online services giant about the privacy policy changes, which affect 60 Google services. The Working Party, which includes data protection authorities from all 27 European Union member states as well as the European Data Protection Supervisor, asked Google to halt implementation of these changes while the data protection authority in France (the National Commission for Computing and Civil Liberties, CNIL) investigates. Google refused and its new privacy policies went into effect in March 2012. The CNIL investigation continued, and in January, CNIL fined the Internet services giant €150,000 ($204,000) over privacy violations. Read more »

In the latest news concerning a 2012 circumvention of a Web browser’s privacy settings, New York Attorney General Eric T. Schneiderman announced that digital advertising company PointRoll — part of media giant Gannett, which owns USA Today and Gannett Broadcasting — has agreed to a $750,000 settlement with New York, New Jersey, Connecticut, Florida, Maryland and Illinois.

To recap: In February 2012, the Wall Street Journalreported on new research by Stanford researcher Jonathan Mayer that shows four companies seek to circumvent consumers’ privacy settings in Apple’s browser, Safari. The four companies are: Google, Vibrant Media, Media Innovation Group and PointRoll. Google said the circumvention was a mistake and it has disabled the code, but there was (pdf) public criticism, including a complaint (pdf) filed with the Federal Trade Commission. Questions were raised about whether the Safari circumvention meant that Google had violated a settlement it made with the FTC last year over Google’s Buzz product. The Internet services giant had agreed to a comprehensive privacy program to settle charges (pdf) it “used deceptive tactics and violated its own privacy promises to consumers when it launched its social network, Google Buzz. In August 2012, the FTC announced Google would have to pay a minimal-for-the-Internet-giant fine of $22.5 million to settle charges that it circumvented users’ Do Not Track privacy settings in Safari. In November 2013, Maryland announced that it joined 36 states at the District of Columbia in settling with Google for $17 million. Read more »